Getting Data In

Unable to forward syslog to third-party syslog server

michaeltay
Path Finder

I have two heavy forwarders that are responsible for sending syslog events via TCP to a third-party syslog server.

props.conf

[host::<fqdn>]
TRANSFORMS-routing = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem

outputs.conf

[syslog:syslog_siem]
type = tcp
server = <IP>:<port>

I am currently facing this error:

03-05-2017 00:41:43.058 +0800 ERROR DistributedClient -  Write error The operation completed successfully.
03-05-2017 00:41:43.058 +0800 ERROR OutputProc - Failed to send data to <IP>:<port>. Failed to send data with TCPClient::send. err=-3

I am 100% sure it is not a network issue. The <IP> is actually a load balancer IP address for the syslog server.

I have tried to use the same configuration to forward to a Splunk instance, and it works beautifully.

May I know what is wrong?


sduff_splunk
Splunk Employee

I would check that firewalls are not blocking the traffic between Splunk and your syslog server. Can you also try using UDP instead of TCP as a test?

Also run

 splunk btool outputs list --debug

and confirm the outputs are being parsed correctly and there are no other config items overwriting your settings.


michaeltay
Path Finder

Besides forwarding the syslog events to a third-party syslog server, I am also forwarding certain syslog events to the indexer. I'm also using tcpout to send Windows event logs to port 9997 of the indexer.

transforms.conf

[send_to_both]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem, syslog_indexer

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem

outputs.conf

[syslog]
defaultGroup = syslog_everything

[syslog:syslog_siem]
type = tcp
server = <IP>:<port>

[syslog:syslog_indexer]
type = udp
server = <IP>:<port>

[syslog:syslog_everything]

[tcpout]
defaultGroup = send_to_indexer

[tcpout:send_to_indexer]
server = <IP>:9997

[tcpout-server://<IP>:9997]
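As an added example, not part of this thread and not Splunk's own tooling: a small Python checker that walks the routing chain sduff suggested confirming with btool (props.conf TRANSFORMS-* key, then the transforms.conf stanza with DEST_KEY = _SYSLOG_ROUTING, then the outputs.conf [syslog:...] groups its FORMAT names) over the three files exactly as posted above. It flags syslog groups with no server, a [syslog] defaultGroup or a FORMAT that names no [syslog:...] stanza, and routing transforms that no props stanza applies. The embedded file contents are constructed copies of the posted config with the <fqdn>, <IP> and <port> placeholders kept; the checker assumes type defaults to udp when it is absent. Whatever it reports for the pasted text may simply be config that was not pasted into the thread, so treat its output as a list of things to confirm with btool rather than as a diagnosis.

```python
"""Static check of a Splunk syslog-routing chain: props.conf -> transforms.conf -> outputs.conf.
Added example for the thread above, not Splunk code. Feed it the text of the three files
(for example copied from `splunk btool <conf> list` output)."""
import configparser
from typing import Dict, List, Set

Conf = Dict[str, Dict[str, str]]

# Constructed copies of the three files as posted, placeholders kept as-is.
PROPS_CONF = """
[host::<fqdn>]
TRANSFORMS-routing = send_to_syslog
"""

TRANSFORMS_CONF = """
[send_to_both]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem, syslog_indexer

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem
"""

OUTPUTS_CONF = """
[syslog]
defaultGroup = syslog_everything

[syslog:syslog_siem]
type = tcp
server = <IP>:<port>

[syslog:syslog_indexer]
type = udp
server = <IP>:<port>

[syslog:syslog_everything]

[tcpout]
defaultGroup = send_to_indexer

[tcpout:send_to_indexer]
server = <IP>:9997

[tcpout-server://<IP>:9997]
"""


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text into {stanza: {key: value}}. Splunk keys are case-sensitive
    (DEST_KEY, defaultGroup), so configparser's default lower-casing is disabled, and '%'
    interpolation is turned off so regexes and URLs survive untouched."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[method-assign]
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def check_syslog_routing(props: Conf, transforms: Conf, outputs: Conf) -> List[str]:
    """Return human-readable findings; an empty list means the chain is consistent."""
    findings: List[str] = []
    syslog_groups = {s.split(":", 1)[1]: kv for s, kv in outputs.items() if s.startswith("syslog:")}

    # 1. Every [syslog:<group>] needs server = host:port; type is assumed to default to udp.
    for name, kv in syslog_groups.items():
        server = kv.get("server", "")
        if not server or ":" not in server:
            findings.append(f"outputs.conf [syslog:{name}]: missing or malformed 'server' (need host:port)")
        if kv.get("type", "udp") not in ("tcp", "udp"):
            findings.append(f"outputs.conf [syslog:{name}]: type must be tcp or udp, got {kv['type']!r}")

    # 2. [syslog] defaultGroup must name groups that actually exist.
    for g in _split_list(outputs.get("syslog", {}).get("defaultGroup", "")):
        if g not in syslog_groups:
            findings.append(f"outputs.conf [syslog] defaultGroup names unknown group {g!r}")

    # 3. Follow every TRANSFORMS-* key from props into transforms and on into outputs.
    applied: Set[str] = set()
    for stanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in _split_list(value):
                applied.add(tname)
                t = transforms.get(tname)
                if t is None:
                    findings.append(f"props.conf [{stanza}] {key} references missing transform {tname!r}")
                    continue
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    continue
                for g in _split_list(t.get("FORMAT", "")):
                    if g not in syslog_groups:
                        findings.append(f"transforms.conf [{tname}] FORMAT names unknown syslog group {g!r}")

    # 4. A syslog-routing transform that no props stanza applies never fires.
    for tname, t in transforms.items():
        if t.get("DEST_KEY") == "_SYSLOG_ROUTING" and tname not in applied:
            findings.append(f"transforms.conf [{tname}] routes to syslog but no TRANSFORMS-* key in props.conf applies it")
    return findings


def check_thread_config() -> List[str]:
    """Run the checker over the constructed copies of the posted files."""
    return check_syslog_routing(parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF), parse_conf(OUTPUTS_CONF))


if __name__ == "__main__":
    for line in check_thread_config() or ["no findings"]:
        print(line)
```

Run it against the real files with `parse_conf(open(path).read())` for each of the three, or paste in the stanzas btool prints, since btool shows the merged result across all apps and that is what the forwarder actually uses.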

michaeltay
Path Finder

Hi sduff,

It's not a firewall issue, as I am able to establish connection to the load balancer via the specified TCP port.

Unfortunately, it is impossible to change the connection to UDP.
